lists.openwall.net - Open Source and information security mailing list archives
Date: Tue, 17 Jul 2007 15:39:28 +0200
From: MgpF <mf@...teoflora.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [0x70xB] Open Redirector ARIANNA.LIBERO.IT

### VULNERABILITY INTERNAL IDENTIFICATION NUMBER: 0x70xB

- - - - - - - ---------------------------------------------------
DESCRIPTION
- - - - - - - ---------------------------------------------------

An open redirect vulnerability has been found on Libero's Arianna (arianna.libero.it), one of the most important Italian portals and search engines.

The vulnerability lies in the "News" section of the Arianna portal: the "ltrace_news" CGI page/function accepts an unchecked parameter named "uc". By changing the "uc" parameter it is possible to redirect a user to any site the attacker wants.

Affected payload is:

1) arbitrary redirection for phishing purposes

The normal URL is of the form:

<http://arianna.libero.it/news/cgi-bin/ltrace_news?id=115&pg=-1&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0&nl=-1&ip=X&rg=7&sq=1&wb=5542388&ml=3&uc=XXX>

where "XXX" is the page to be redirected to.

- - - - - - - ---------------------------------------------------
POC
- - - - - - - ---------------------------------------------------

By changing the parameter it is possible to alter the drop page. For example:

<http://arianna.libero.it/news/cgi-bin/ltrace_news?id=115&pg=-1&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0&nl=-1&ip=X&rg=7&sq=1&wb=5542388&ml=3&uc=http%3A%2F%2Fwww.matteoflora.com>

will redirect the user to "http://www.matteoflora.com".

A POC URL is available (until deleted or fixed) here:

<http://arianna.libero.it/news/cgi-bin/ltrace_news?id=115&pg=-1&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0&nl=-1&ip=X&rg=7&sq=1&wb=5542388&ml=3&uc=http%3A%2F%2Fwww.matteoflora.com>

- - - - - - - ---------------------------------------------------
SOLUTION
- - - - - - - ---------------------------------------------------

Forcibly checking that the parameter value is an internal page easily solves the problem; the better approach is to keep a server-side lookup table of the URLs used and pass only an ID in the request.

An IN DEPTH review of the code by an Application Security Expert is STRONGLY suggested.

- - - - - - - ---------------------------------------------------
CONCLUSION
- - - - - - - ---------------------------------------------------

The impact of this vulnerability is MODERATE for PHISHING and SCAM purposes and VERY LOW for system integrity.

Greetings,
MgpF

- - - - - - - ---------------------------------------------------
TIMELINE
- - - - - - - ---------------------------------------------------

Initial Finding   : 2007-04-20
VENDOR DISCLOSURE : 2007-05-30 (management contact)
VENDOR Solving    : 2007-06-30
PUBLIC DISCLOSURE : 2007-07-17

- - - - - - --
Matteo G.P. Flora | mf@...teoflora.com | www.MatteoFlora.com
Sec & Forensics Guy | PGP F3B6BC10 | blog www.LastKnight.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
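The redirect flaw the advisory describes and the two fixes it proposes (restrict "uc" to internal pages, or store the destinations server-side and pass only an ID), as an added example in Python. This is not code from the advisory or from Libero/Arianna, and the real "ltrace_news" CGI is not public; only the parameter name "uc", the host arianna.libero.it and the PoC query string come from the advisory. The handler functions, ALLOWED_HOSTS, DEFAULT_PAGE and the LINKS table are assumptions made for illustration.

```python
"""Open redirect through a tracking parameter: the unchecked behaviour the
advisory reports, beside the two fixes it proposes.

Added example, not code from the original advisory or from Libero/Arianna.
From the advisory: the parameter name "uc", the host arianna.libero.it and
the PoC query string.  Assumed for illustration: the handler functions,
ALLOWED_HOSTS, DEFAULT_PAGE and the LINKS table.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

SITE_HOST = "arianna.libero.it"
ALLOWED_HOSTS = {SITE_HOST, "www.libero.it"}   # assumed allowlist of internal hosts
DEFAULT_PAGE = "/news/"                        # assumed fallback when "uc" is rejected

# Query string of the advisory's PoC URL (constructed here from the advisory text).
POC_QUERY = ("id=115&pg=-1&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0"
             "&nl=-1&ip=X&rg=7&sq=1&wb=5542388&ml=3"
             "&uc=http%3A%2F%2Fwww.matteoflora.com")


def uc_from_query(query: str) -> str:
    """Extract and percent-decode the "uc" parameter, as a CGI script would."""
    return parse_qs(query).get("uc", [""])[0]


def vulnerable_redirect(uc: str) -> str:
    """The behaviour the advisory reports: "uc" goes straight into the Location
    header, so any absolute URL becomes the drop page."""
    return uc


def safe_redirect_by_host(uc: str) -> str:
    """Fix 1: accept only site-relative paths or absolute http(s) URLs whose
    host is on the allowlist; everything else falls back to DEFAULT_PAGE."""
    parts = urlsplit(uc)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_PAGE                    # javascript:, data:, ...
    if parts.netloc:
        # Absolute or scheme-relative (//host) URL.  .hostname is the part after
        # any userinfo, so "http://arianna.libero.it@evil.example" resolves to
        # evil.example here, not to the allowlisted host.
        host = parts.hostname or ""
        if host not in ALLOWED_HOSTS:
            return DEFAULT_PAGE
        # Rebuild from the validated host only: drops userinfo, port and fragment.
        return urlunsplit(("http", host, parts.path or "/", parts.query, ""))
    path = parts.path
    # Relative target: exactly one leading slash and no backslashes, since
    # browsers treat "/\evil.example" like "//evil.example".
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return DEFAULT_PAGE
    return urlunsplit(("", "", path, parts.query, ""))


# Fix 2, the advisory's preferred one: destinations live server-side and the
# URL carries only an ID.  Assumed table; in practice one row per tracked link.
LINKS = {
    "115": "http://arianna.libero.it/news/115",
    "116": "http://www.libero.it/",
}


def safe_redirect_by_id(link_id: str) -> str:
    """Unknown IDs get the fallback page instead of an attacker-chosen URL."""
    return LINKS.get(link_id, DEFAULT_PAGE)


if __name__ == "__main__":
    uc = uc_from_query(POC_QUERY)
    print("uc        :", uc)
    print("vulnerable:", vulnerable_redirect(uc))
    print("by host   :", safe_redirect_by_host(uc))
    print("by id     :", safe_redirect_by_id("115"), "/", safe_redirect_by_id("999"))
```

The check has to run on the parsed host, not on the raw string: a substring test such as `"libero.it" in uc` is satisfied by `http://libero.it.evil.example/` and by `http://evil.example/?libero.it`, and a prefix test on the raw string is satisfied by the userinfo trick shown in the comments. The ID-based variant sidesteps all of that, which is why the advisory prefers it.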